Security | 26.09.2024

Major cellular network security flaw

Flaws in a signalling protocol used by telephone networks worldwide allow attackers to track mobile devices and intercept calls and SMS messages — all without compromising or infecting the target phone.

The security vulnerabilities are in Signalling System 7 (SS7), a standard developed in the 1970s for traditional telephone networks to manage call set-up, management, and teardown.

It remains in use on older-generation cellular technologies like 2G and 3G, and is entrenched as a standard for networks to exchange subscriber information to facilitate international roaming.

Most concerning, SRLabs in Germany has been warning about the problems in SS7 since 2008.

However, it wasn’t until they demonstrated an attack on German parliament minister Thomas Jarzombek in 2014 — with his permission — that people started to take note.

Once again, the security researchers warned that vulnerabilities in the protocol threatened users’ privacy and could lead to user tracking, fraud, denial of service, and call interception.

Two years later, the issue made headlines again — this time in the United States after a 60 Minutes report highlighted the dangers of the security weakness.

As part of the segment, 60 Minutes arranged for security expert Karsten Nohl to demonstrate how he could listen to a conversation of U.S. Congressman Ted Lieu by exploiting an SS7 security vulnerability.

60 Minutes reported that intelligence agencies knew about the security flaws, and they did not want network operators to fix them.

Using just Lieu’s phone number, Nohl could intercept communications, track his location, and block his access to certain features.

Nohl explained at the time that the SS7 protocol was not centrally policed, that each mobile network had to protect its own customers, and that only they could ultimately solve the problem.

Another eight years later, the problem is still not fixed.

YouTuber Derek Muller, better known as Veritasium, recently demonstrated an SS7 attack against Linus Sebastian from Linus Tech Tips.

Muller was born to South African parents in Australia but grew up in Canada when his family emigrated so his father could take up a job in Vancouver.

He worked with Nohl and the telecoms security lead at POST Luxembourg, Alexandre de Oliveira, to execute the attack on Sebastian — with his permission.

Muller showed that with only Sebastian’s phone number, they could intercept phone calls and SMS messages, including texts containing one-time PINs.

Although many of SS7’s vulnerabilities are linked to signalling necessary for international calling, messaging, and roaming, Sebastian was connected to his home network in Canada at the time of the attack.

A critical step in executing an SS7 attack is gaining access to the system, as it was initially designed as a walled garden.

However, Muller said that this had actually become easier over time — not more difficult as one might expect for a vulnerability that has been disclosed for 16 years.

He explained that as more carriers and mobile virtual network operators launched around the world, it became easier for bad actors to access SS7.

“Those companies, some of them sell services on to third parties. Some of them can be bribed. Some of them can be hacked,” said Nohl.

“There are probably thousands of ways into SS7 at reasonable effort or cost.”

Nohl said buying a single SS7 connection isn’t that expensive, relatively speaking, and can be had for a few thousand U.S. dollars per month.

Once an attacker has access to the SS7 protocol and has gained trust within the system, they can execute a range of attacks.

These include intercepting communications intended for another number or using a network’s location services to track a device.

Screenshot of SS7 attack in action. Veritasium/YouTube

MyBroadband contacted South Africa’s major mobile network operators — Vodacom, MTN, Cell C, and Telkom — regarding how they protect their customers against SS7 attacks.

MTN South Africa explained that telecommunication service providers are advised to adopt the GSM Association (GSMA) recommendations for addressing SS7-related risk.

“Telecommunication service providers’ adoption of these recommendations can form part of a defence in depth approach towards addressing SS7-related risk,” MTN said.

“MTN has adopted the GSMA’s recommendations on addressing SS7-related risk by deploying SS7 firewalls within our global interconnect infrastructure and local South African environment, configured in accordance with the GSMA FS.11 guidance.”

Asked whether these protections work while roaming internationally, MTN said it depends on the roaming partner.

“The protection of subscribers from SS7-related risk is contingent on the appropriate safeguards being deployed by service providers in the subscriber’s home and visited networks.”

Vodacom said that it has mandatory, minimum-security requirements that are periodically assessed by an independent mobile network security entity.

“We also work closely with the GSMA and other security experts to research this issue and continually review and upgrade systems and processes to minimise risk,” Vodacom said.

Cell C and Telkom could not provide feedback by the time of publication.
